JWT Decoder & Encoder

Decode any JSON Web Token, inspect claims, verify HMAC signatures, and encode new tokens.

No data leaves your browser

Frequently Asked Questions

Is the JWT decoder free?

Yes, completely free with no account or signup required.

Is my JWT token safe?

All decoding and encoding happens in your browser. Your token is never sent to any server.

What JWT features are included?

Decode a JWT to read its header and payload, verify HMAC signatures, encode a new JWT with a custom header, payload, and secret, and view expiry time.

Can I verify JWT signatures?

Yes. Enter your HMAC secret and the tool verifies whether the token signature is valid for the provided header and payload.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token containing a signed JSON payload. It is widely used for authentication — a server issues a token that clients send with each request to prove identity.

How do I create a JWT token online?

Switch to the Encode tab, fill in the header (algorithm) and payload (claims) as JSON, enter your HMAC secret, and click Encode. The signed JWT is generated instantly.

What JWT algorithms are supported?

This tool supports HMAC-based algorithms: HS256, HS384, and HS512. These use a shared secret key to sign and verify tokens.

What is the difference between HS256 and RS256?

HS256 uses a shared HMAC secret — the same key signs and verifies the token. RS256 uses an RSA private key to sign and a public key to verify, so verification can be public without exposing the signing key.

What is the exp claim and how do I set it?

exp is the expiration timestamp in seconds since the Unix epoch (1970-01-01). Add it to your payload as a number, e.g. "exp": 1893456000. Verifiers reject tokens whose exp is in the past.
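The HMAC signature check and the exp check described in the answers above, as an added example that is not this tool's own code. It uses Node's crypto module, and the function names, secret, and timestamps are constructed for illustration. The verifier pins the accepted algorithms instead of trusting the token's header and compares signatures in constant time.

```javascript
const nodeCrypto = require("node:crypto");

const HASHES = new Map([["HS256", "sha256"], ["HS384", "sha384"], ["HS512", "sha512"]]);
const b64url = (buf) => Buffer.from(buf).toString("base64url");

// Sign a header and payload (helper so the sample tokens are built inline).
function signJwt(header, payload, secret) {
  const input = b64url(JSON.stringify(header)) + "." + b64url(JSON.stringify(payload));
  const mac = nodeCrypto.createHmac(HASHES.get(header.alg), secret).update(input).digest();
  return input + "." + b64url(mac);
}

// Returns { ok: true, payload } or { ok: false, reason }.
function verifyJwt(token, secret, allowedAlgs, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !payload || typeof header !== "object" || typeof payload !== "object") return { ok: false, reason: "malformed" };
  // Pin the algorithm: the token's header must not choose outside the caller's allowlist.
  if (!allowedAlgs.includes(header.alg) || !HASHES.has(header.alg)) {
    return { ok: false, reason: "algorithm not allowed" };
  }
  const expected = nodeCrypto.createHmac(HASHES.get(header.alg), secret)
    .update(parts[0] + "." + parts[1]).digest();
  const given = Buffer.from(parts[2], "base64url");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  // exp is seconds since the Unix epoch; reject once that moment has passed.
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, payload };
}

// Constructed sample values (not from the page).
const SECRET = "constructed-demo-secret";
const NOW = 1700000000;
const good = signJwt({ alg: "HS256", typ: "JWT" }, { sub: "alice", exp: 1893456000 }, SECRET);
const stale = signJwt({ alg: "HS256", typ: "JWT" }, { sub: "alice", exp: NOW - 60 }, SECRET);
const none = b64url('{"alg":"none"}') + "." + good.split(".")[1] + ".";
```

Calling `verifyJwt(good, SECRET, ["HS256"], NOW)` succeeds, while `stale`, `none`, and any token checked with the wrong secret are rejected with a reason string.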

What is the difference between JWT and session cookies?

Session cookies carry a session ID that refers to session data stored server-side, so each request requires a database lookup. JWTs are stateless: the server validates them using a key with no storage lookup, making them ideal for distributed systems.

Can JWT be used for authorization?

Yes. After authentication, a server issues a JWT containing the user's roles or permissions. Every subsequent request includes the JWT so the server can authorize the action without a database query.
